// security research blog
Real Bugs.Real Bounties.
Case studies, vulnerability writeups, and penetration testing insights from active bug bounty research across 100+ programs.
Recent Writeups
Hand-picked findings from real bug bounty engagements. Every step reproducible, every disclosure responsible.
Penetration Testing vs Vulnerability Assessment: What's the Difference?
A vulnerability assessment finds weaknesses; a penetration test proves which ones an attacker can actually exploit. Here's the real difference, and why "VAPT" means doing both.
→What Is Security Testing? Types, Process & Why It Matters
A complete, plain-English guide to security testing: what it is, why your clients and auditors require it, the main types (VAPT, SAST, DAST, pentesting), who performs it, and how to get started.
→SAST vs DAST vs Black Box: Application Security Testing Explained
SAST reads your code, DAST attacks your running app, black-box testing simulates an outside attacker. A plain-English guide to the acronyms, and when to use each.
→What Is API Security Testing? (And Why APIs Are the New Front Door)
APIs now carry most of an application's real attack surface. What API security testing is, what gets tested by hand, and why it differs from testing the web UI in front of it.
→Web Application Security Testing: What It Is & How It's Done
What web application security testing actually is, what gets tested, and the step-by-step process a manual web pentest follows, from recon to a report your client's auditor will accept.
→The Scoping Call: 17 Questions We Ask Before Quoting
Before we send a pentest quote, we get on a 30-minute scoping call and work through 17 questions. Here are all of them, why each one matters for accurate pricing, and the questions you should ask us back.
→Inside Our 5-Day Web Pentest: A Day-by-Day Breakdown
What are we actually doing for those five days? An hour-by-hour, day-by-day breakdown of a real web application engagement: recon, auth testing, business logic, reporting, and the included re-test.
→What a SOC 2-Ready Pentest Report Contains (With a Sample TOC)
A SOC 2-ready pentest report isn't a Nessus PDF. Here's the actual table of contents we deliver, what each section contains, and why your overseas client's auditor wants every part of it.
→SOC 2 vs ISO 27001 vs "Just a Pentest"
Your client says "send your SOC 2" or "do you have ISO 27001" or "just send a pentest". They're three completely different things. Here's how to tell which one your client actually needs, with rough costs and timelines.
→Why Your Office Wi-Fi Is the Cheapest Way Into Your Production Servers
Most software houses keep production credentials on dev laptops sitting on the office Wi-Fi. Here's the path a network pentest walks (guest Wi-Fi to production database) and how to close it.
→Your US Client Asked for a "VAPT Report". Here's What They Want.
A US, UK, or EU client just emailed asking for a "VAPT report" before they sign. Here's exactly what they want, what their security team will look at first, and what to send back.
→The 7 AWS Misconfigurations We Find in Almost Every Startup Audit
Public S3 buckets, over-permissive IAM, exposed metadata, world-open security groups. Seven AWS misconfigurations we find on nearly every cloud audit, and how to fix each in under a day.
→OWASP API Top 10 for Non-Security CTOs: The 4 That Actually Matter
If your product is a React front end on a REST or GraphQL backend, the API Top 10 maps to your real attack surface better than the web list. Here are the four categories that cause most of the damage.
→OWASP Top 10 in Pakistani SaaS: What Each Bug Actually Looks Like
The OWASP Top 10 reads like a textbook. Here's what each item actually looks like in real Pakistani SaaS products we've tested (HR platforms, fintechs, logistics dashboards) and what to fix first.
→Hardcoded API Keys in Android Apps: A 5-Minute Audit Any Dev Can Do
About 7 of 10 Android apps we test ship with an API key, AWS secret, or token baked into the binary. Here's the exact 5-minute audit we run on your APK, so you can clean it up before we even start.
→Subdomain Takeover via Yumpu Misconfiguration
A dangling CNAME pointing at an orphaned Yumpu publication on a redacted target let me reclaim a trusted subdomain and serve content under its TLS cert. Full recon-to-report walkthrough.
MFA Bypass Techniques from Real Bug Bounty Cases
Eleven real-world MFA bypass vulnerabilities: rate-limiting flaws, response manipulation, OAuth bypasses, session race conditions, and a pre-auth phone number leak via XML content-type switching.
→Older writeups live on Hassan's Medium. Native posts on this site will continue to expand as new disclosures clear their embargo windows.
Need this kind of testing on your stack?
The same recon and exploitation mindset that surfaces these public findings powers every VAPT.PK engagement.